There are good passwords and bad passwords, but none of them are totally secure. Researchers at the American University of Beirut, Lebanon, are working on strengthening an approach to password security that's not just about what you type, but how you type it.

Ravel Jabbour, Wes Masri and Ali El-Hajj of the American University of Beirut have developed software that aims to improve upon past attempts at linking password authentication to the speed and rhythm of the user's keystrokes, a method called key-pattern analysis (KPA).

Instead of just measuring the time-lapse between keystrokes, the researchers also measure how long each key remains depressed. They argue that this extra parameter of "intra" timing significantly boosts reliable authentication and improves the overall KPA approach.

Modified keyboards that measure keystroke pressure represent another avenue, but this approach works on a standard keyboard. It would work like this:

  • the user enters their password multiple times to set up a log-in;
  • the program creates a user profile based on intra and inter timing and other parameters like the relationships between two keys (digraph) and three keys (trigraph);
  • this profile is stored for comparison when the user logs in again.

It's a bit of a double-edged sword because the longer and more complex the password, the harder it is to repeatedly type it in with the same rhythm. The researchers acknowledge the trade-off - it's a matter of finding a "sweet spot" between length and reliable typing. I know that if I had a choice between a longer password and a system that stopped someone with my password written down in front of them from gaining access, I'd choose the latter.
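
The enrol-and-compare steps listed above, as an added Python illustration that is not the researchers' software: it builds a profile from the intra (key held down) and inter (release to next press) timings of repeated entries, then scores a later log-in against it. The z-score comparison, the 10 ms deviation floor, the threshold of 2.0, the function names and every timing value are assumptions constructed for this example; digraph and trigraph features are left out.

```python
from statistics import mean, stdev

def build(keys, dwells, flights):
    """Helper for constructed data: dwell/flight lists -> (key, down_ms, up_ms)."""
    t, out = 0, []
    for i, (k, d) in enumerate(zip(keys, dwells)):
        out.append((k, t, t + d))
        t += d + (flights[i] if i < len(flights) else 0)
    return out

def features(sample):
    dwell = [up - down for _, down, up in sample]        # "intra": key held down
    flight = [sample[i + 1][1] - sample[i][2]            # "inter": release -> next press
              for i in range(len(sample) - 1)]
    return dwell + flight

def enroll(samples):
    """Profile = typed keys plus (mean, deviation) of every timing feature."""
    if len(samples) < 2:
        raise ValueError("need at least two entries to measure variation")
    keys = [k for k, _, _ in samples[0]]
    if any([k for k, _, _ in s] != keys for s in samples):
        raise ValueError("every enrollment entry must be the same password")
    columns = zip(*(features(s) for s in samples))
    # Assumed 10 ms floor so a very consistent typist is not locked out by tiny jitter.
    return keys, [(mean(c), max(stdev(c), 10.0)) for c in columns]

def score(profile, attempt):
    """Mean absolute z-score of the attempt against the stored profile."""
    keys, stats = profile
    if [k for k, _, _ in attempt] != keys:
        return float("inf")                              # wrong password: rhythm is moot
    return mean(abs(x - m) / s for x, (m, s) in zip(features(attempt), stats))

def verify(profile, attempt, threshold=2.0):             # threshold is an assumption
    return score(profile, attempt) <= threshold

# Constructed timings (ms) for the password "pass": three enrollment entries.
PROFILE = enroll([build("pass", [90, 80, 100, 95], [120, 60, 150]),
                  build("pass", [95, 85, 105, 90], [110, 70, 140]),
                  build("pass", [85, 75, 95, 100], [130, 65, 160])])
OWNER = build("pass", [92, 78, 104, 93], [125, 62, 145])      # same rhythm
OTHER = build("pass", [150, 140, 60, 160], [300, 250, 40])    # right keys, other rhythm

if __name__ == "__main__":
    print(verify(PROFILE, OWNER), round(score(PROFILE, OWNER), 2))
    print(verify(PROFILE, OTHER), round(score(PROFILE, OTHER), 2))
```

The threshold is where the trade-off shows up: a longer password adds more timing features that all have to land near the profile, so the same threshold rejects the legitimate typist more often.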

The researchers say they have also integrated secure "group" functionality into the system to cater for another possible drawback - the ability to share passwords when you do want someone else to have log-in access.

The paper "Optimising password security through key-pattern analysis" is published in the International Journal of Internet Technology and Secured Transactions.